
This function returns a complete form array for confirming an action. The
form contains a confirm button as well as a cancellation link that allows a
user to abort the action.

If the submit handler for a form that implements confirm_form() is invoked,
the user successfully confirmed the action. You should never directly
inspect $_POST to see if an action was confirmed.

Note: if the parameters $question, $description, $yes, or $no could contain
any user input (such as node titles or taxonomy terms), it is the
responsibility of the code calling confirm_form() to sanitize them first with
a function like check_plain() or filter_xss().

Here is a code example I made as a blueprint for a form with a confirmation step. It's probably not ideal, but it works for me. (I didn't know how to get around the session variable to keep my information around until the last step.)

Thanks, your example was great. The only change I would recommend is, instead of using the session to store the variable, just store the values in $form_state['storage']; that way you have all the variables of the first form available.

The example displays user input without sanitising it, creating an XSS scenario. You should run the $form_state['values'] data through the check_plain() function before you output it, use a safe placeholder in the t() function, or at least filter_xss() it.

Weird bit of code you've got there, doing that whole $yes = "Really?" thing: completely unnecessary, it just assigns the string to the variable $yes, which then does nothing afterwards. You can remove the assignment entirely from the function call and it would do the same thing.

If you are not validating against the CSRF threat on the server side (using a Drupal token) while deleting any Drupal content using the GET method, then you are introducing one by relying only on a JavaScript confirm on the client side.

For example,
if some logged-in user has permission to delete the node or term, and another user comments on any page using <img src='http://admin/structure/term/1/delete'>,

then if the logged-in user visits that page, term 1 will get deleted without him knowing!!
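The following is an added example, not code from the confirm_form() documentation, from Drupal core, or from any of the commenters above. It ties together the points raised on this page: a two-step Drupal 7 form whose second step is built with confirm_form(), which carries the first step's values in $form_state['storage'] instead of $_SESSION, which sanitizes the user-supplied title before placing it in $question (via a t() placeholder, which runs check_plain() internally), and which performs the destructive action only from the submit handler of a POST form that carries Drupal's form token, rather than from a GET link guarded by a JavaScript confirm. The module name example_confirm, the menu path example/rename, the field name, and the variable_set() persistence are all hypothetical.

```php
<?php
/**
 * @file
 * Added example (hypothetical module "example_confirm"): a two-step form
 * whose confirmation step is produced by confirm_form(). Not Drupal core code.
 */

/**
 * Implements hook_menu().
 */
function example_confirm_menu() {
  // Hypothetical path; the form is served by drupal_get_form(), so every
  // submission is a POST that Drupal's Form API checks for a form token.
  $items['example/rename'] = array(
    'title' => 'Rename item',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_confirm_form'),
    'access arguments' => array('administer nodes'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Form builder: step 1 collects a title, step 2 asks for confirmation.
 *
 * The step 1 values are kept in $form_state['storage'] (as the comment above
 * recommends) rather than in $_SESSION, so they live and die with this form.
 */
function example_confirm_form($form, &$form_state) {
  if (!empty($form_state['storage']['confirm'])) {
    // Step 2. The stored title is user input. The %title placeholder makes
    // t() run it through check_plain() before it lands in $question, which
    // is the caller's responsibility per the confirm_form() documentation.
    $title = $form_state['storage']['values']['title'];
    return confirm_form(
      $form,
      t('Are you sure you want to rename the item to %title?', array('%title' => $title)),
      'example/rename',
      t('This action cannot be undone.'),
      t('Rename'),
      t('Cancel')
    );
  }

  // Step 1: plain input form.
  $form['title'] = array(
    '#type' => 'textfield',
    '#title' => t('New title'),
    '#required' => TRUE,
    '#maxlength' => 255,
  );
  $form['actions'] = array('#type' => 'actions');
  $form['actions']['submit'] = array(
    '#type' => 'submit',
    '#value' => t('Continue'),
  );
  return $form;
}

/**
 * Submit handler for both steps.
 *
 * Being invoked after step 2 is itself the proof that the user pressed the
 * confirm button on a token-checked POST; $_POST is never inspected here.
 */
function example_confirm_form_submit($form, &$form_state) {
  if (empty($form_state['storage']['confirm'])) {
    // Step 1 submitted: stash the values and rebuild the form as step 2.
    $form_state['storage']['values'] = $form_state['values'];
    $form_state['storage']['confirm'] = TRUE;
    $form_state['rebuild'] = TRUE;
    return;
  }

  // Step 2 confirmed: perform the action with the stored value.
  $title = $form_state['storage']['values']['title'];
  // Hypothetical persistence; a real module would update its own storage.
  variable_set('example_confirm_title', $title);
  // The %title placeholder escapes the user-supplied value in the message too.
  drupal_set_message(t('Renamed the item to %title.', array('%title' => $title)));
  $form_state['redirect'] = '<front>';
}
```

Two things are worth noting about the design. Drupal's Form API adds a hidden form_token to forms built for authenticated users and rejects submissions whose token does not validate, which is why the confirmation belongs in a POST form like this one and not in a GET path such as the term/1/delete link in the comment above, where an <img> tag planted by another user is enough to trigger the deletion. And because the title is only ever printed through a t() placeholder, it is escaped on both the confirmation page and the status message; printing $form_state['values'] or $form_state['storage'] directly, as the XSS comment warns, would undo that.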